NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

OIG REPORT TO OMB ON THE NATIONAL CREDIT UNION ADMINISTRATION’S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT 2006

Report #OIG-06-06            September 29, 2006

William A. DeSarno
Inspector General

Released by: James Hagen, Asst IG for Audits
Auditor-in-Charge: Tammy F. Rapp, CPA, CISA, Sr Information Technology Auditor

LIMITED OFFICIAL USE ONLY

INDEPENDENT EVALUATION OF THE NATIONAL CREDIT UNION ADMINISTRATION INFORMATION SECURITY PROGRAM - 2006
Report #OIG-06-06

CONTENTS

Section                                                          Page
   I      EXECUTIVE SUMMARY                                         1
   II     OFFICE OF MANAGEMENT & BUDGET REPORT FORMAT               3

Appendix
   A      Independent Evaluation of the NCUA Information Security Program – 2006
   B      NCUA Financial Statement Audits – FY2005

Appendices are limited to restricted official use only.

I. EXECUTIVE SUMMARY

The Office of Inspector General (OIG) for the National Credit Union Administration (NCUA) engaged Grant Thornton LLP to conduct an independent evaluation of its information systems and security program and controls for compliance with the Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002.

Grant Thornton evaluated NCUA’s security program through interviews, documentation reviews, and sample testing. We evaluated NCUA against standards and requirements for federal government agencies such as those provided through FISMA, National Institute of Standards and Technology (NIST) Special Publications (SPs) and Federal Information Processing Standards (FIPS), and Office of Management and Budget (OMB) memorandums. We conducted an exit conference with NCUA officials on September 6, 2006, to discuss evaluation results.

The NCUA made noticeable progress in strengthening its Information Technology (IT) security program during Fiscal Year (FY) 2006. Notable accomplishments include:

   •   Significant strides in remediation of the significant deficiency noted in the FY2005 report by deploying encryption software to improve the security of information stored on examiners’ laptop computers, and
   •   Completion of the Accreditation package for the NCUA General Support System (GSS).

While NCUA has made commendable progress in eliminating the significant deficiencies reported last year, our review this year identified the following weaknesses in IT security controls that deserve immediate management attention:

   •   Procedures requiring the use of cryptographic security measures for sensitive financial and Personally Identifiable Information (PII) need better enforcement, and Privacy Impact Assessments (PIA) for its systems need to be developed.

   •   Certification and accreditation (C&A) of all NCUA systems needs to be completed.

   •   Password and user account security configurations need improvement, including regular user account reconciliations.

   •   The personnel security awareness training program needs to be fully implemented.

We also noted the following other weaknesses in IT security controls that management should consider:

   •   Security planning documentation needs improvement in consistent version control, revisions/updates, and dissemination to required officials.

   •   E-Authentication risk assessments should be developed for NCUA’s systems.

   •   Security configuration guides need to be developed.

   •   Continuity of Operations Plan (COOP) and Disaster Recovery procedures need to be more consistently updated and tested, including the regular testing of NCUA’s Disaster Recovery and system contingency plans. In addition, restoration priorities related to system impact ratings need to be consistently applied and documented.

   •   Physical security measures need to be consistently enforced.

   •   Regular incident response training needs to be conducted.

   •   NCUA’s Plan of Actions and Milestones (POA&M) process needs improvement.

We appreciate the courtesies and cooperation provided to our auditors during this audit.